Extracted

• • Target

    a9ffae175be0aec08fac2026601215e9_JaffaCakes118

  • Size

    511KB

  • MD5

    a9ffae175be0aec08fac2026601215e9

  • SHA1

    409af83dbdb7ac2188732b72ef39e9dea2fed1ae

  • SHA256

    2ed39be8a8fb7c8865ceefe8982287d1cd5d03871100865f549242460e08c449

  • SHA512

    275c5189832cbdae5d286ea01b8c146b32fafcb6a19dc9a75819fae4f03671b2293022f90d0910ac633e0dc20332d2eb7120875d799b02afd24e6153eb75ccd6

  • SSDEEP

    6144:SZw1WZEg3Zt17cVqSqOjgsVP/RG4vDuK8tFAnpLL/Y6afli96VT1cACTfgjdkAd:ScWaaAjBLG4buJgtY6LK1kfgjdkAd

  Score

  10^/10

  redlinesectopratdefense_evasiondiscoveryevasionexecutioninfostealerprivilege_escalationrattrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Turns off Windows Defender SpyNet reporting

    evasion

  • Windows security bypass

    evasiontrojan

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Suspicious use of SetThreadContext

  behavioral1behavioral2